CVE-2026-8727

Severity CVSS v4.0:

HIGH

Type:

CWE-502 Deserialization of Untrusted Dat

Publication date:

19/05/2026

Last modified:

19/05/2026

Description

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP&#39;s unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L CVSS v4.0 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Attack Vector (AV): Network
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): High
User Interaction (UI): Active
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): High
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): Low

Base Score 4.0

7.10

Severity 4.0

HIGH

References to Advisories, Solutions, and Tools

https://typo3.org/security/advisory/typo3-ext-sa-2026-008